Not sure if your org uses WPA2 Enterprise to have users authenticate onto your network. We have been testing it out and really like it. Our current way is just pushing our wireless credentials during DEP, but with iOS 11 and WiFi sharing we have been asked to re-evaluate our practices.
Thoughts? How are you doing it?
Generally speaking, the #1 best and common practice is WPA2-Enterprise which leverages 802.1X/EAP with a RADIUS server which in turn queries an external LDAP database (very commonly AD). This covers everything you need with respect to AAA, mutual tunneled authentication, RBAC, and a variety of EAP types to fit various requirements, and to handle both wired and wireless use cases. You mentioned DEP and iOS 11 so if you have it, RADIUS can also query Open Directory. And if you're using Meraki Systems Manager you can also leverage that for things like client certificate distribution to implement EAP-TLS, without the need to stand up your own PKI or do all the cumbersome certificate management. Anyway, definitely read up on 802.1X/EAP and RADIUS to plan out your AAA services on your network.
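The difference between the two approaches in this thread shows up in the Wi-Fi payload the MDM pushes. The following is an added example, not part of either post: a small audit of an Apple configuration profile that flags a shared PSK and checks an 802.1X payload for EAP types, RADIUS server certificate pinning, and a client identity for EAP-TLS. The sample profile, SSIDs, UUID and server name are constructed; the payload keys are Apple's Wi-Fi payload keys.

```python
import plistlib

# Constructed sample profile (not from the thread): one PSK SSID, one EAP-TLS SSID.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>Corp-PSK</string>
  <key>EncryptionType</key><string>WPA2</string>
  <key>Password</key><string>constructed-shared-secret</string>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>Corp-1X</string>
  <key>EncryptionType</key><string>WPA2</string>
  <key>PayloadCertificateUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>EAPClientConfiguration</key><dict>
   <key>AcceptEAPTypes</key><array><integer>13</integer></array>
   <key>TLSTrustedServerNames</key><array><string>radius.example.com</string></array>
  </dict>
 </dict>
</array></dict></plist>"""

EAP_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}  # IANA EAP method types

def audit_wifi_payloads(profile_bytes):
    """Return {ssid: [findings]} for every Wi-Fi payload in the profile."""
    report = {}
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        findings = []
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            findings.append("shared PSK embedded in profile" if "Password" in p
                            else "no 802.1X configuration")
        else:
            types = eap.get("AcceptEAPTypes", [])
            findings.append("802.1X: " + ", ".join(EAP_NAMES.get(t, str(t)) for t in types))
            if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
                findings.append("RADIUS server certificate is not pinned")
            if 13 in types and "PayloadCertificateUUID" not in p:
                findings.append("EAP-TLS without a client identity certificate")
        report[p.get("SSID_STR", "?")] = findings
    return report

if __name__ == "__main__":
    for ssid, findings in audit_wifi_payloads(SAMPLE_PROFILE).items():
        print(ssid, "->", "; ".join(findings))
```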